Method and system for operating an extension on a measuring transducer of process automation technology

ABSTRACT

The present disclosure discloses a method for operating an expansion of a measuring transducer of process automation technology, comprising at least the steps: Starting the measuring transducer by starting its operating software; connecting the extension to the measuring transducer; establishing data communication between extension and measuring transducer, wherein the extension and the measuring transducer form an asymmetric cryptosystem; and the extension interacts with the measuring transducer.

CROSS-REFERENCE TO RELATED APPLICATION

The present application is related to and claims the priority benefit ofGerman Patent Application No. 10 2017 129 698.0, filed on Dec. 13, 2017,the entire contents of which are incorporated herein by reference.

TECHNICAL FIELD

The present disclosure relates to a method for operating an extension ona measuring transducer of process automation technology. The presentdisclosure further relates to a system for implementing the method.

BACKGROUND

Generally speaking, a measuring transducer is a device that converts aninput variable into an output variable according to a fixedrelationship. In process automation technology, a sensor is, forexample, connected to a measuring transducer. The raw measured values ofthe sensor are processed in the measuring transducer, e.g., averaged orconverted by means of a calibration model to another variable—forexample, the process variable to be determined—and possiblytransmitted—to a control system, for example.

Generally, a cable for connection to the sensor is connected to themeasuring transducer. The measuring transducer is in this case aseparate device with a separate housing and various interfaces.Alternatively, the measuring transducer can be integrated, e.g., in theform of a circuit—possibly as a microcontroller or somethingsimilar—into a cable or directly into a plug connection (see below).

The connection of the cable to the sensor is frequently accomplished viaa plug connection, e.g., by galvanically decoupled—especially,inductive—interfaces. Thus, electrical signals can be transmittedcontactlessly. Advantages with regard to corrosion protection,electrical isolation, prevention of mechanical wear of the plug, etc.,are shown by this galvanic isolation. The applicant markets such systemsunder the name, “Memosens.”

The most varied sensors can be connected to the measuring transducer.Under the aforementioned name, “Memosens,” the applicant markets sensorsfor measuring pH value, conductivity, oxygen, turbidity, and otherthings.

The field device connected to the measuring transducer, i.e., thesensor, for example, is parameterized, and other settings are changedvia the measuring transducer. For this purpose, the measuring transducerhas a display and possibilities for making entries, e.g., via buttons,switches, touch display or via external devices that are connected tothe measuring transducer via a wireless or wired interface (such as USB,serial or parallel interface, RS-232, Bluetooth, etc.).

Generally, “authenticity” means authenticity in the sense of “found asoriginal”. For the purposes of this application, authenticity means “arethe data actually coming from the <<correct>>sender?” Applied to theaforementioned measuring transducer, the question is: Is the connectedsensor really the sensor that it says it is?

In general, “integrity” means the correctness (integrity) of data andthe correct functioning of systems. Applied to the aforementionedmeasuring transducer, the question is: Were the data received by themeasuring transducer unaltered, and are they therefore identical to thedata which were sent by the sender (here: the sensor)?

SUMMARY

The object of the present disclosure is to check the reliability of thecommunication between the sensor and the measuring transducer.

The object is achieved by a method comprising the steps of: Starting themeasuring transducer by starting its operating software; connecting theextension to the measuring transducer; establishing data communicationbetween extension and measuring transducer, wherein the extension andthe measuring transducer form an asymmetric cryptosystem; and theextension interacts with the measuring transducer.

An asymmetric cryptosystem is a cryptographic method in which thecommunicating parties (here: measuring transducer and extension) neednot know a common secret key. In general, each user generates his ownkey pair comprising a secret part (private key) and a non-secret part(public key). The public key enables anyone to encrypt data for theowner of the private key, check his digital signatures or authenticatehimself. The private key allows its owner, to encrypt data with thepublic key, to generate digital signatures or authenticate himself.

Within the meaning of this application, an “extension” changes thefunction of the measuring transducer. This can be, for example, expandedor supplemented functions or an expanded or supplemented functionalscope of the measuring transducer. At least two embodiments of theextension are possible. On the one hand, the extension is configured ashardware such as a sensor which can be connected to the measuringtransducer. On the other hand, the extension is configured as software.An extension is not primarily a part of the measuring transducer, i.e.,it is explicitly not part of the operating system. The extension isloaded at runtime. The extension is, in particular, loaded from a memoryat runtime. The memory can in this case be implemented as memory firmlyintegrated into the hardware of the measuring transducer (e.g., flashmemory), in the form of removable memory accessible to the user (e.g., amemory card), or in the form of a network memory that is addressed bydata communication (e.g., a file server). In one embodiment, theextension configured as software is transmitted to the measuringtransducer by the extension that is connected to the measuringtransducer and designed as hardware, such as a sensor.

Generally, in this embodiment the extension is thus software code thatis formulated in a certain (programming) language and executed on themeasuring transducer.

In one embodiment, the method further comprises the steps: Performing achallenge-response method between the extension and the measuringtransducer; and determining the authenticity of the extension.

Of course, the opposite direction is also possible, namely the executionof a challenge response method between the measuring transducer and theextension to determine the authenticity of the measuring transducer fromthe point of view of the extension.

The challenge-response method is generally an authentication method of asubscriber based on knowledge. In this case, a subscriber poses a task(challenge) that the other must solve (response) in order to prove thathe has knowledge about a specific piece of information. If a first partywants to authenticate itself to a second party, then the second partysends a random message, such as a random number, to the first party(i.e., the second party poses the challenge). The first partysupplements this random message with its password, applies acryptological hash function or encryption to that combination, and sendsthe result to the second party (and thus provides the response). Thesecond party, knowing both the random message and the shared secret(=first party password) and the hash function or encryption used,performs the same calculation and compares its result with the responseit receives from the first party. If both data are identical, the firstparty has successfully authenticated itself.

In one embodiment, the method thus further comprises the steps: Themeasuring transducer sends a message known to the extension, inparticular a random message, to the extension; a signature from theunknown message is calculated by the extension by means of a signaturekey located thereupon; at least the signature is sent to the measuringtransducer; and the measuring transducer verifies the signature by meansof a verification code already present therein.

The signature key is the private key; the verification key is the publickey.

In particular if the extension is configured as a sensor, theauthenticity thereof can thus be determined. This method can checkwhether the connected sensor is actually the sensor that a claims to be;or in other words an “original sensor”.

Of course the reverse direction is also possible, i.e., the extensionsends a message known to the measuring transducer, in particular arandom message, to the extension; a signature from the unknown messageis calculated by the measuring transducer by means of a signature keylocated thereupon; at least the signature is sent to the extension; andthe extension verifies the signature by means of a verification codealready present therein. This allows the sensor to deny operation to aninvalid measuring transducer.

In one embodiment, the extension comprises a digital signature, and themethod further comprises the step of: The integrity of the extension isdetermined by the measuring transducer by means of a verification keyalready present therein.

The verification key is a public key, but not necessarily the same asthe one mentioned above.

Especially when the extension is designed as loadable software, theintegrity thereof can thus be determined. The extension (software)itself is signed. It is thus possible to determine whether the softwareto be loaded has been manipulated.

In one embodiment, the digital signature is generated by means of asignature key, in particular by the manufacturer of the extension.

The signature key is a private key, but not necessarily the same as thatmentioned above.

In one embodiment, further data communication is denied if theauthenticity or integrity is not confirmed. It can thus be ensured thatan extension that is not authenticated or integrious does not continueto operate.

In one embodiment, the method further comprises the step of: Activatinga limited functional scope of the measuring transducer if theauthenticity is not confirmed.

In one embodiment, if the authenticity or integrity is not confirmed,the functional operation is limited over time.

In one embodiment, the method further comprises the steps: Sending alicense to the measuring transducer, wherein the license comprises adigital signature; and the measuring transducer checks the integrity andauthorship by means of a verification key already present therein.

In one embodiment, a license is sent to the extension, wherein thelicense comprises a digital signature; and the integrity and authorshipof the license is checked by the extension by means of a verificationkey already present therein.

In particular if the extension is configured as a sensor, further safetyproperties can thus be assigned by the license.

In one embodiment, the license is tied to at least one of the followingcharacteristics: serial number, serial number range, manufacturer, type,genre or hardware components. This ensures that a certain license canonly work with a certain extension.

In one embodiment, the license defines the functional scope andauthorizations in the measuring transducer. The license thus makes itpossible for certain functionalities of the extension to be enabled orrestricted.

In one embodiment, the extension enters the license on adisplay/displays and input device(s) connected to the measuringtransducer or arranged therein by means of a storage medium from theInternet, or transmits it to or activates it on the measuring transducerby means of a wireless connection, in particular by means of a mobiledevice and app running thereon.

In one embodiment, the measuring transducer transmits the license to oractivates it for the extension.

The object is further solved by a system for implementing a method asdescribed above.

In one embodiment, the extension is configured as a sensor of processautomation technology.

In one embodiment, the signature key is located on a sensor storage areathat cannot be read out from the outside. In one embodiment, the sensorcomprises a trusted platform module.

A trusted platform module is a chip according to the TCG specification(The Trusted Computing Group (TCG) is an industry-operatedstandardization organization that develops an open standard for trustedcomputing platforms) that expands a computer or similar devices withbasic safety functions. The module behaves in some points like anintegral smartcard, but with the important difference that it is notbound to a specific user (user instance) but to the local computer(hardware instance).

In one embodiment, the extension is configured as a software modulewhich can be uploaded to the measuring transducer in order to expand itsfunctional scope.

BRIEF DESCRIPTION OF THE DRAWINGS

This will be explained in more detail with reference to the followingfigures.

FIGS. 1A and 1B shows the claimed system comprising a measuringtransducer in two different embodiments,

FIG. 2 shows the claimed method in an overview,

FIGS. 3A and 3B shows a diagram for determining the authenticity of thesensor or measuring transducer,

FIG. 4 shows a diagram for determining integrity.

DETAILED DESCRIPTION

In the figures, the same features are identified with the same referencesymbols.

The claimed measuring transducer 20 is for example used in a system 10.In addition to the measuring transducer 20, the system 10 comprises asensor 1 and a connection element 11, which shall be discussed first.Without limitation of generality, a “sensor 1” is spoken of below; evenso, an actuator or the like may, however, also be connected to themeasuring transducer 20. Generally, a field device is connected to themeasuring transducer 20.

FIG. 1A represents an embodiment of a system 10.

A sensor 1 communicates with a measuring transducer 20 via a firstphysical interface 3. The transducer 20 comprises a data processing unitμCA, for instance in the form of a microcontroller, and—separately orpart thereof—a memory 25. The measuring transducer 20 comprises at leastone slot 26 for a memory card, such as an SD card.

The measuring transducer 20 in turn is connected to a higher-level unit30, such as a control system, by a cable 31. A cable 21 is connected onthe sensor side to the measuring transducer 20, the other end of whichcable comprises a second physical interface 13 that is complementary tothe first physical interface 3. A connection element 11 comprises thecable 21, along with the second physical interface 13. The physicalinterfaces 3, 13 are designed as electrically isolated—in particular,inductive—interfaces. The physical interfaces 3, 13 can be coupled witheach other by means of a mechanical plug connection. The mechanical plugconnection is hermetically sealed, so that no fluid, such as the mediumto be measured, air, or dust, can enter from the outside.

Data (bi-directional) and power (uni-directional, i.e., from theconnection element 11 to the sensor 1) are transmitted or transferredvia the physical interfaces 3, 13. The system 10 is used predominantlyin process automation.

The sensor 1 comprises at least one sensor element 4 for detecting ameasurand of process automation. The sensor 1 is then, for example, a pHsensor, also called an ISFET design—generally, an ion-selective sensor,a sensor for measurement of the redox potential from the absorption ofelectromagnetic waves in the medium, e.g., with wavelengths in the UV,IR, and/or visible range, of the oxygen, of the conductivity, of theturbidity, of the concentration of non-metallic materials, or of thetemperature, along with the respectively corresponding measurand.

The sensor 1 comprises a first coupling body 2, which comprises thefirst physical interface 3. As mentioned, the first physical interface 3is designed for the transmission to a second physical interface 13 of avalue that is a function of the measurand. The sensor 1 comprises a dataprocessing unit μCS, such as a microcontroller, which processes thevalues of the measurand, e.g., converts them into a different dataformat. The data processing unit μCS is designed for energy and spacereasons to be rather small or economical with respect to the computingcapacity and the memory volume. The sensor 1 is thus designed only for“simple” computing operations—for example, for averaging, preprocessing,and digital conversion. The sensor 1 comprises one or more memories 5separately or as part of the data processing unit μCS.

Several sensors 1 can also be connected to a measuring transducer 20.Shown in FIG. 1A are two sensors 1, wherein only one of the two isprovided with all of the reference symbols. The same or differentsensors can be connected. The left one of the two is shown in theplugged-in state. Up to eight sensors can be connected to the measuringtransducer 20, for example.

The sensor 1 can be connected via the physical interfaces 3, 13 to theconnection element 11, and ultimately to the measuring transducer 20.The data processing unit μCS converts the value that depends upon themeasurand (i.e., the measurement signal of the sensor element 4) into aprotocol that the measuring transducer 20 can understand. An example inthis regard is, for example, the proprietary Memosens protocol. Thefirst and second physical interfaces 3, 13 are thus designed for thebi-directional communication between the sensor 1 and the measuringtransducer 20. As mentioned, in addition to the communication, the firstand second physical interfaces 3, 13 also ensure the supply of power tothe sensor 1.

The connection element 11 comprises the second physical interface 13,wherein the second physical interface 13 is designed to be complementaryto the first physical interface 3.

The connection element 11 comprises a second, cylindrical coupling body12 that is designed to be complementary to the first coupling body 2 andcan be slipped with a sleeve-like end portion onto the first couplingbody 2, wherein the second physical interface 13 is plugged into thefirst physical interface 3. An opposite arrangement, in which the secondphysical interface 13 is designed to be sleeve-like and the firstphysical interface 3 is designed to be plug-like, is possible, withoutany inventive effort.

The measuring transducer 20 comprises a display 22 and one or moreoperating elements 23, such as buttons or rotary buttons, by means ofwhich the measuring transducer 20 can be operated. Measured data, forexample, of the sensor 1 are displayed by the display 22. The sensor 1can also be configured and parameterized by means of the operatingelements 23 and the corresponding view on the display 20.

The measuring transducer 20 forwards the measured data via the cable 31,as mentioned, to a control system 30, for example. The control system 30is in this case designed as a process control system (PLC, SPS), PC, orserver.

To this end, the measuring transducer 20 converts the data into a dataformat that the control system can understand, e.g., into acorresponding bus, such as HART, Profibus PA, Profibus DP, FoundationFieldbus, Modbus RS485, or even into an Ethernet-based field bus, suchas EtherNet/IP, Profinet, or Modbus/TCP. These data are then forwardedto the control system 30. This can, if required, be combined with a webserver, i.e., they can be operated in parallel to one another.

FIG. 1B represents an embodiment of a sensor arrangement 10. In thiscase, only one sensor 1 is respectively connected to a measuringtransducer 20. The measuring transducer 20 is in this case illustratedsymbolically as a rectangle, is smaller in its dimensions than themeasuring transducer from FIG. 1A, and is approximately the size of amatchbox. The measuring transducer 20 can in this case be designed as aseparate unit that can be connected to the cable 21 or, as shown here,be integrated directly into the cable 21. The measuring transducer 20thus consists essentially of the data processing unit μCA. The measuringtransducer 20 does not include a display and has, if any, only one ortwo operating elements, which are configured for a reset or for turningon and off. In this embodiment, the measuring transducer 20 preferablycomprises no operating elements. The measuring transducer 20 thereforecomprises a wireless module 24, such as a Bluetooth module, with theprotocol stack, Bluetooth Low Energy. A mobile device (not shown), suchas a cellphone, tablet, laptop, etc., can thereby be wirelesslyconnected to the measuring transducer 20. By means of the mobile device,the sensor can be configured and parameterized using the wirelessconnection via the wireless module 24. The measuring transducer 20converts the raw measured data such that they are directly transmittedto a higher-level unit 30, such as the control system. As mentioned,data can, for example, be transmitted in a proprietary protocol from thesensor 1 to the connection element 11, while the data processing unitμCA converts this proprietary protocol into a bus protocol (Modbus,Foundation Fieldbus, HART, Profibus, EtherNet/IP; see above).

The firmware of the measuring transducer 20 can also be updated via thewireless module 24.

Also in the embodiment of the measuring transducer 20 from FIG. 1A, thiscan also contain a wireless module (not shown).

The measuring transducers in FIG. 1A and FIG. 1B essentially have thesame basic functionality.

FIG. 2 shows the claimed method 100 in an overview. Initially in a firststep 110, the measuring transducer is started by starting its operatingsoftware. In the next step 120, an extension is connected to themeasuring transducer. Then (reference numeral 130) data communicationbetween extension and measuring transducer is established. The extensionand the measuring transducer form an asymmetric cryptosystem. In thelast step 140, the extension interacts with the measuring transducer.

Within the meaning of this application, an “extension 40” changes thefunction of the measuring transducer 20. These can be, for example,expanded or supplemented functions, or an expanded or supplementedfunctional scope of the measuring transducer 20. At least twoembodiments of the extension are possible. On the one hand, theextension 40 is configured as hardware, such as a sensor 1, that can beconnected to the measuring transducer 20. On the other hand, theextension is configured as software 50. Generally in this embodiment,the extension 40 is thus software code that is formulated in a certain(programming) language and executed on the measuring transducer. Thesoftware 50, as an extension 40, is not primarily part of the measuringtransducer 20, i.e., it is explicitly not part of the operating system.The extension 40 is loaded during runtime. In particular, the extensionis loaded during runtime from a memory such as from the memory 5 of thesensor 1. The software 40 can be loaded from the memory 5 of the sensor1 into the memory 25 of the measuring transducer 20. Furthermore, whenthe measuring transducer 20 is delivered, the software 50 can already bein its memory 25. Likewise, the software 50 may be loaded into themeasuring transducer 20 via a memory card by means of the card slot 26.Wireless transmission into the memory 25 or via a network connection ofthe measuring transducer 20 is also possible.

The memory 5 of the sensor 1 comprises a memory area which cannot beread from the outside and on which one or more secret keys privK 1 arelocated (see below).

The measuring transducer 20 and the extension 40 form an asymmetriccryptosystem. Depending on the type of extension 40, this is configureddifferently.

In particular, if the extension 40 is configured as a sensor 1, achallenge-response method is carried out between them in order todetermine the authenticity of the sensor 1.

FIG. 3A shows a diagram for determining authenticity by means ofchallenge-response methods. The transducer 20 generates a random messageZ and sends it as a “challenge” to the sensor 1 as an extension 40. Theextension 40 calculates therefrom a signature S1 with a secret key privK1 (signature key or private key). The signature can be created forexample by using a hash function, and a subsequent encryption can takeplace with the secret key privK1 take place. The extension 40 sends thesignature S1 thus generated back to the measuring transducer 20 as a“response”. The transducer 20 verifies this signature S1 using a publickey pubK1 (verification, public-key) and thereby determines theauthenticity A of the extension.

Analogously, the authenticity A of the measuring transducer 20 can bedetermined by the sensor 1 as an extension 40, see FIG. 3B. In thiscase, the roles are switched in the above-described challenge-responsemethod: The challenge with the random message Z is sent by the extension40 to the measuring transducer 20 and is then returned with a signatureS1 generated using the signature key privK1 as a response to theextension 40. The extension 40 can determine whether the measuringtransducer 20 is authentic by the verification key pubK1 known thereto.

The random message Z generated by the sensor 1 must be cryptographicallysecure. A random message Z that was used once should ideally never occuragain, and no one should be able to deduce the next random message if heknows the last random message Z. Time stamps, which the sensor 1transmits together with the random message Z, bring about additionalsecurity.

In particular in the embodiment of extension 40 just mentioned, alicense is sent by the sensor 1 to the measuring transducer 20. Thislicense is provided with a signature and was generated by means of aprivate key. This private key may, but need not, be the same private keyas that discussed above. The measuring transducer 20 checks theintegrity and authorship of the license by means of a public key that isalready present therein. This public key may, but need not, be the samepublic key as that discussed above. The license defines the functionalscope and authorizations in the measuring transducer. The license istied to at least one of the following characteristics: serial number,serial number range, manufacturer, type, genre or hardware components ofthe measuring transducer 20.

A license can also be sent from the measuring transducer 20 to thesensor 1.

In particular, if the extension 40 is configured as software 50, itsintegrity is determined by means of a signature S.

In FIG. 4, initially the manufacturer H of the extension 40 configuredas software 50 creates a signature S2 using a private key privK2(signature key or private-key). The extension 40 thus comprises thesignature S2. This private key privK 2 may, but does not have to, be thesame private key as that explained above (reference sign privK1 or theprivate key for generating the signature of the license). Alternatively,the extension 40 is transmitted to the measuring transducer 20, forinstance by means of a memory card (card slot 26), wirelessly via awireless connection, from a network memory or from the sensor 1. Themeasuring transducer 20 checks the signature by means of a public keypubK2 (public key verification key). This public key pubK2 can, but neednot, be the same public key as that explained above (reference numeralpubK1 or the public key for checking the signature of the license). Thisdetermines the integrity I of the extension 40.

In both cases, further communication between measuring transducer 20 andextension 40 is denied if the authenticity or integrity has not beenconfirmed. Alternatively, the functional scope of the measuringtransducer 20 is severely limited.

The invention claimed is:
 1. A method for operating an extension of ameasuring transducer of process automation technology, wherein theextension is a software module that can be uploaded to the measuringtransducer to expand a functional scope of the measuring transducer, themethod comprising: starting the measuring transducer by starting itsoperating software; uploading the extension to the measuring transducerand connecting the extension to the measuring transducer; establishingdata communication between the extension and the measuring transducer;forming an asymmetric cryptosystem between the extension and themeasuring transducer; and interacting the extension with the measuringtransducer.
 2. The method according to claim 1, further comprising:performing a challenge-response method between the extension and themeasuring transducer; and determining an authenticity of the extension.3. The method according to claim 2, further comprising: sending a randommessage unknown to the extension from the measuring transducer to theextension; calculating a signature on the unknown message by theextension using a signature key located in the extension; sending thesignature to the measuring transducer; and verifying the signature bythe measuring transducer using a verification key present in themeasuring transducer.
 4. The method according to claim 1, wherein theextension includes a digital signature, the method further comprising:determining by the measuring transducer an integrity of the extensionusing a verification key present in the measuring transducer.
 5. Themethod according to claim 4, wherein the digital signature is calculatedusing a signature key from the manufacturer of the extension.
 6. Themethod according to claim 2, further comprising: rejecting further datacommunication if the authenticity is not confirmed.
 7. The methodaccording to claim 4, further comprising: rejecting further datacommunication if the integrity is not confirmed.
 8. The method accordingto claim 2, further comprising: activating a limited functional scope ofthe measuring transducer if the authenticity is not confirmed.
 9. Themethod according to claim 4, further comprising: activating a limitedfunctional scope of the measuring transducer if the integrity is notconfirmed.
 10. The method according to claim 2, further comprising:limiting in time a functional operation of the measuring transducer ifthe authenticity is not confirmed.
 11. The method according to claim 4,further comprising: limiting in time a functional operation of themeasuring transducer if the integrity is not confirmed.
 12. The methodaccording to claim 2, further comprising: sending a license to themeasuring transducer, the license including a digital signature; andverifying by the measuring transducer an integrity and an authorship ofthe license using a verification key present in the measuringtransducer.
 13. The method according to claim 12, wherein the license islinked to at least one of the following characteristics: a serialnumber, a serial number range, a manufacturer, a type, a genre orhardware components of the measuring transducer.
 14. The methodaccording to claim 12, wherein the license establishes a functionalscope and authorizations in the measuring transducer.
 15. The methodaccording to claim 12, wherein the extension enters the license from astorage medium, from the Internet, on a display and input deviceconnected to the measuring transducer or arranged in the measuringtransducer, or transmits it to or activates it on the measuringtransducer using a wireless connection, including using a mobile deviceand app running on the mobile device.
 16. A system, comprising: ameasuring transducer; and an extension of the measuring transducer,wherein the extension is a software module that can be uploaded to themeasuring transducer to expand a functional scope of the measuringtransducer, wherein the measuring transducer is configured to establisha data communication between the extension and the measuring transducer,to form an asymmetric cryptosystem with the extension, and to interactwith the extension.
 17. The system according to claim 16, wherein themeasuring transducer is further configured to send to the extension arandom message unknown to the extension, wherein the extension isconfigured to calculate a signature on the unknown message using asignature key located in the extension and to send the signature to themeasuring transducer, and wherein the measuring transducer is furtherconfigured to verify the signature using a verification key present inthe measuring transducer.
 18. A measuring transducer configured toexecute a method including: starting the measuring transducer bystarting its operating software; uploading an extension to the measuringtransducer and connecting the extension to the measuring transducer,wherein the extension is a software module that can be uploaded to themeasuring transducer to expand a functional scope of the measuringtransducer; establishing a data communication between the extension andthe measuring transducer; forming an asymmetric cryptosystem between theextension and the measuring transducer; and interacting the extensionwith the measuring transducer.